Beware of Phishing Email from Kimsuky Hackers With Subject September Tax Return Due Date Notice


A new wave of phishing attacks purporting to originate from South Korea’s National Tax Service has emerged, leveraging familiar electronic document notifications to trick recipients into divulging their Naver credentials.

Distributed on August 25, 2025, the email mimics the official format used by Naver’s secure document service, displaying the sender as “National Tax Service” and warning that failure to view the “September Tax Return Payment Due Notice” by August 31 will result in alternative delivery methods.

The message conveys urgency and legitimacy through a plausible subject line and formatting, but subtle anomalies reveal its malicious intent.


Upon closer inspection of the email header, forensic analysis shows that the message was dispatched from Mail.ru infrastructure rather than an official NTS server.

The Return-Path is [email protected], and the sender IP 95.163.59.13 resolves to send174.i.mail.ru. SPF, DKIM, and DMARC all pass, but only for the Mail.ru sending domain, which says nothing about the "National Tax Service" display name; the ARC chain contains a single instance (i=1), so no forwarding relay vouches for the message either.

Kimsuky's National Tax Service phishing email (Source – Wezard4u Tistory)

Wezard4u Tistory analysts noted that no official NTS domain appears anywhere in the sending path (DNS and header lookups resolve only to Mail.ru infrastructure), a clear red flag for defenders and for users who know what to look for.

Embedded within the body of the email is a link to hxxp://n-info.bill-nts.server-on.net/users2/?m=3Duggcf%3N…&[email protected] (the "=3D" is the quoted-printable encoding of "=" in the raw body), where the "m" parameter conceals a URL that has been percent-encoded and then ROT13-rotated: "uggcf%3N" is ROT13 of "https%3A".

Decoding reveals a Naver address (nid.naver.com, Naver's login host), which gives the link a legitimate-looking destination; the page actually served from the server-on.net host is a fabricated login portal designed to harvest credentials.

The malicious site replicates Naver’s login interface with precise styling, prompting users to enter their username and password under the guise of viewing an official document.

Phishing email header (Source – Wezard4u Tistory)

JavaScript injected into the page captures input fields and posts them to a remote server controlled by Kimsuky.
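The header anomalies described above (a government display name on a Mail.ru address, authentication results that vouch only for the sending domain, a single-instance ARC chain, and a free-webmail relay) can be pulled out of a raw message automatically. The following triage script is an added example, not code from the original article or from the Wezard4u analysis; the headers it parses are constructed to reproduce the pattern described here, with the obfuscated local parts replaced by placeholders, and the assumption that genuine NTS mail would originate from a go.kr domain is the author's, not the page's.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (not the real message): it reproduces the header pattern
# described in the analysis, with placeholder local parts and receiving host.
SAMPLE_HEADERS = """\
Return-Path: <sender@mail.ru>
Received: from send174.i.mail.ru (send174.i.mail.ru [95.163.59.13])
\tby mx.naver.test with ESMTPS (TLSv1.3) id abc123
ARC-Seal: i=1; a=rsa-sha256; cv=none; d=mail.ru; s=arc; b=MIIB...
Authentication-Results: mx.naver.test; spf=pass smtp.mailfrom=mail.ru;
\tdkim=pass header.d=mail.ru; dmarc=pass header.from=mail.ru
From: "National Tax Service" <sender@mail.ru>
Subject: September Tax Return Payment Due Notice

body
"""

# Constructed benign control: an agency mail sent from its own domain.
BENIGN_HEADERS = """\
Return-Path: <noreply@example.go.kr>
Received: from mx.example.go.kr (mx.example.go.kr [192.0.2.10])
\tby mx.naver.test with ESMTPS (TLSv1.3) id def456
Authentication-Results: mx.naver.test; spf=pass smtp.mailfrom=example.go.kr;
\tdkim=pass header.d=example.go.kr; dmarc=pass header.from=example.go.kr
From: "Example Agency" <noreply@example.go.kr>
Subject: Notice

body
"""

# Display names that claim to be the Korean tax authority (Korean form assumed).
GOV_DISPLAY_NAMES = ("national tax service", "국세청")
# Assumption: genuine NTS mail comes from a go.kr domain; the article only
# establishes that it does not come from Mail.ru.
GOV_DOMAIN_SUFFIX = ".go.kr"
WEBMAIL_ORIGINS = ("mail.ru",)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: str) -> dict:
    """Return the observations an analyst would pull from the headers."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    auth = " ".join(msg.get("Authentication-Results", "").split())
    # Domains the SPF/DKIM/DMARC results actually vouch for.
    vouched = set(re.findall(r"(?:smtp\.mailfrom|header\.d|header\.from)=([\w.-]+)", auth))
    arc_instances = [int(i) for i in re.findall(r"\bi=(\d+)", " ".join(msg.get_all("ARC-Seal", [])))]
    origin = re.search(r"from\s+([\w.-]+)", " ".join(msg.get_all("Received", [])))

    findings = []
    claims_gov = display.strip().lower() in GOV_DISPLAY_NAMES
    if claims_gov and not from_domain.endswith(GOV_DOMAIN_SUFFIX):
        findings.append(f"display name '{display}' but From domain is {from_domain}")
    if claims_gov and from_domain in vouched:
        findings.append("SPF/DKIM/DMARC pass only for " + ", ".join(sorted(vouched)) + ", not for the claimed organisation")
    if origin and origin.group(1).endswith(WEBMAIL_ORIGINS):
        findings.append(f"relayed via free webmail host {origin.group(1)}")
    if arc_instances and max(arc_instances) == 1:
        findings.append("ARC chain has a single instance (i=1): no forwarding relay vouches for the message")
    return {"from_domain": from_domain, "vouched_domains": sorted(vouched),
            "arc_instances": arc_instances, "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_HEADERS)["findings"]:
        print("-", line)
```

The point of the check is that "authentication passed" is a statement about the envelope and DKIM domain, so the script compares the domain the results vouch for against the organisation the display name claims, instead of trusting the pass verdict on its own.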

Detection Evasion Techniques

Kimsuky’s payload employs multiple evasion tactics to bypass automated filters and human scrutiny.

By wrapping the redirect URL in layered encodings (the destination is percent-encoded, rotated with ROT13, and percent-encoded again for transport), the attackers obfuscate the true destination of the link, defeating simple URL pattern matching by security gateways.

A simplified Python snippet illustrates the decoding process discovered in the link analysis:

import urllib.parse, codecs

# Sample "m" value as it appears in the link (defanged with "(.)"): the destination
# was percent-encoded, ROT13-rotated, then percent-encoded again for transport.
raw_param = "uggcf%253N%252S%252Sznvy(.)anire(.)pbz"
decoded = urllib.parse.unquote(raw_param)   # undo the outer layer -> "uggcf%3N%2S%2S..."
rot13 = codecs.decode(decoded, "rot_13")    # undo ROT13 -> "https%3A%2F%2F..."
payload = urllib.parse.unquote(rot13)       # undo the inner percent-encoding
print(payload)                              # https://mail(.)naver(.)com

This routine turns the encoded string back into a Naver address (the defanged sample above decodes to https://mail(.)naver(.)com), confirming that the link was built to present a Naver destination.

Additionally, the email travelled over Mail.ru's legitimate infrastructure with TLSv1.3 from the sending server to Naver's mail gateway, so transport-level checks (and the "secure" markers some clients display for encrypted delivery) give the recipient no warning.

By combining display-name spoofing on a fully authenticated Mail.ru message, layered URL obfuscation, and realistic UI replication, Kimsuky achieves a high success rate in credential theft campaigns.

Cybersecurity teams should monitor for Mail.ru-origin traffic whose display names impersonate official organisations and implement decoding routines that unwrap mixed-encoding URL parameters and flag any that resolve to a hidden destination.
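A gateway rule that matches on a literal domain is exactly what the layered encoding above defeats, so the useful detection is a bounded search that keeps peeling percent-encoding, ROT13, and Base64 off each query parameter until a URL appears, recording which layers were needed. The script below is an added example, not code from the article or from any product; it generalises the single-layer decoding shown earlier to arbitrary orderings of those three transforms. The first link is constructed in the shape of the one in the email (defanged with "(.)", with the article's sample "m" value rather than the full original parameter, and a placeholder e-mail address); the second is a constructed Base64-wrapped redirect on a placeholder domain.

```python
import base64
import binascii
import codecs
import re
from urllib.parse import urlsplit, unquote

URL_RE = re.compile(r"^(?:https?|hxxps?)://", re.I)
MAX_DEPTH = 5

# Constructed sample links (not the originals): the first mirrors the phishing
# link's shape, the second hides its destination behind a single Base64 layer.
SAMPLE_LINK = ("hxxp://n-info.bill-nts.server-on.net/users2/"
               "?m=uggcf%253N%252S%252Sznvy(.)anire(.)pbz&email=user%40example.test")
SAMPLE_B64_LINK = ("https://example.test/redirect?u="
                   + base64.b64encode(b"https://example.test/login").decode() + "&lang=en")


def _layers(value):
    """Yield (layer_name, decoded) for each transform that can be applied to value."""
    if "%" in value:
        yield "percent", unquote(value)
    if re.fullmatch(r"[A-Za-z0-9+/=_-]{8,}", value):
        stripped = value.rstrip("=")
        try:
            raw = base64.urlsafe_b64decode(stripped + "=" * (-len(stripped) % 4))
            yield "base64", raw.decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            pass
    yield "rot13", codecs.decode(value, "rot_13")


def unwrap(value, depth=0, path=()):
    """Depth-first search over decoding layers; returns (layers, url) or None."""
    if URL_RE.match(value):
        return path, value
    if depth >= MAX_DEPTH:
        return None
    for name, decoded in _layers(value):
        # Skip no-op decodes and ROT13 applied twice in a row (it would undo itself).
        if decoded == value or (name == "rot13" and path and path[-1] == "rot13"):
            continue
        found = unwrap(decoded, depth + 1, path + (name,))
        if found:
            return found
    return None


def flag_mixed_encoding(link):
    """Return (param, layers, destination) for every parameter that hides a URL."""
    hits = []
    # Split the query by hand: parse_qsl would already strip one percent layer.
    for pair in urlsplit(link).query.split("&"):
        key, _, val = pair.partition("=")
        found = unwrap(val)
        if found and found[0]:          # at least one decoding layer was needed
            hits.append((key, found[0], found[1]))
    return hits


if __name__ == "__main__":
    for link in (SAMPLE_LINK, SAMPLE_B64_LINK):
        for key, layers, dest in flag_mixed_encoding(link):
            print(f"{key}: {' -> '.join(layers)} => {dest}")
```

Because the search records the layer sequence, a gateway can alert on "a URL appeared after two or more decodings" without having to know the attacker's exact recipe, while ordinary parameters such as the percent-encoded e-mail address above produce no hit.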
